Privacy

Valid since: 06.12.2024.

Information on the processing of personal data

Statement on personal data protection

1. Introduction

The Company respects your privacy and would like to provide you with information in this document (hereinafter: Statement) in a clear and transparent manner about which personal data the Company collects, as well as the legal basis on which the Company processes personal data and ultimately how the Company protects personal data in accordance with the general regulation on data protection (GDPR) and other applicable regulations.

Respondents to whom this Statement refers are users of the KYC.hr application (hereinafter: Application), visitors to the website https://www.kyc.hr, visitors to the Company's official premises and all other persons whose personal data is processed by the Company.

Please read this Statement carefully. It contains our privacy policy and information about how the Company uses your personal data when you visit our website, use our service or the Application, or communicate with us for other reasons.

This Statement applies in all cases of processing your personal data. In some special and specific cases of the processing of your personal data, the Company can provide you with a special Statement on the processing of personal data, which will contain the privacy policy related to these cases of personal data processing.

In case of any questions, feel free to contact us in the manner provided for in point 5 of this Statement.

2. Definitions and terms

In this Statement, unless otherwise specified, the following words and expressions have the meanings set forth below:

  • Application: the Company's software solution, which can be accessed via the Company's website.
  • Biometric data: means personal data obtained through special technical processing related to the physical, physiological or behavioral characteristics of an individual that enable or confirm the unique identification of that individual, such as facial photographs or dactyloscopic data.
  • Breach of personal data: means a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data that has been transmitted, stored or otherwise processed.
  • Client: any natural or legal person who, in the Company's Application, enters into a contract for the performance of services offered by the Company.
  • Company: means a natural or legal person engaged in economic activity, regardless of the legal form of that activity, including partnerships or associations that regularly engage in economic activity.
  • Consent: means any voluntary, special, informed and unequivocal expression of the Respondent's wishes by which he consents to the processing of personal data relating to him by a statement or a clear affirmative action.
  • Controller: means a natural or legal person, public authority, agency or other body that alone or together with others determines the purposes and means of personal data processing; when the purposes and means of such processing are determined by the law of the Union or the law of a Member State, the controller or special criteria for his appointment may be provided for by the law of the Union or the law of the Member State.
  • Data related to health: means personal data related to the physical or mental health of an individual, including the provision of health services, to which is added information about his state of health.
  • Genetic data: means personal data related to the inherited or acquired genetic characteristics of an individual that provide unique information about the physiology or health of that individual and which are obtained in particular by analyzing the biological sample of the individual in question.
  • Limitation of processing: means marking stored personal data with the aim of limiting their processing in the future.
  • Personal data: is any data relating to an individual whose identity has been determined or can be determined (hereinafter: Respondent); an identifiable individual is a person who can be identified directly or indirectly, in particular with the help of identifiers such as name, identification number, location data, online identifier or with the help of one or more factors inherent to physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
  • Processor: means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
  • Processing: means any procedure or set of procedures performed on personal data or on sets of personal data, whether by automated or non-automated means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, inspection, use, disclosure by transfer, dissemination or otherwise making available, matching or combining.
  • Profiling: means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects related to an individual, in particular to analyze or predict aspects related to work performance, economic condition, health, personal preferences, interests, reliability, the behavior, location or movement of that individual.
  • Pseudonymization: means the processing of personal data in such a way that the personal data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that the personal data cannot be attributed to an individual whose identity has been determined or can be determined.
  • Recipient: means a natural or legal person, public authority, agency or other body to which personal data is disclosed, regardless of whether it is a third party. However, public authorities that may receive personal data in the context of a specific investigation in accordance with Union or Member State law are not considered recipients; the processing of this data by these public authorities must be in accordance with the applicable data protection rules according to the purposes of the processing.
  • Storage system: means any structured set of personal data accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.
  • Third party: means a natural or legal person, public authority, agency or other body that is not the Respondent, data controller, processor or persons authorized to process personal data under the direct authority of the data controller or processor.
  • Website: https://www.kyc.hr.

3. Versions and Updates

We will update this Statement from time to time, so that it always contains accurate and reliable information about how the Company collects and uses your personal data. The Company will notify you of any changes in the processing method by updating our privacy policy and this Statement on the Processing of Personal Data.

You can always find the current statement on the Website.

4. About us

For the purposes of this Statement and the applicable regulations on personal data protection, including the General Regulation on the Protection of Personal Data (EU) 2016/679 (hereinafter: "General Regulation" or "GDPR"), the Company informs you of the following:

  • The data controller and the company responsible for processing your personal data is KYC d.o.o., headquartered in Zagreb, Street and house number, OIB: 12345678910 (hereinafter: "Company").
  • Personal data protection officer: Krešimir Jušinski.
  • Executor of data processing: Berislav Vranešić.

Legal basis for processing personal data

Based on the contract concluded on this Website, the Company provides its clients with the service of performing actions described and defined by the Law on Prevention of Money Laundering and Financing of Terrorism.

This means that when you become a Client of the Company, the Company will be responsible for the processing of your personal data, as the Data Processing Manager.

5. Contact

In case you have any question related to the protection of your personal data, you can contact us in the following ways:

  • to contact the personal data protection officer: dpo@kyc.hr.

6. Reasons for collecting personal data

KYC d.o.o. is a trading company that, among other things, deals with the provision of services:

  • a
  • b...

The Company collects different types of personal data about you, depending on your relationship with us and/or the reasons for our communication.

7. Ways of collecting personal data

The Company collects your personal data from you directly, indirectly or automatically. Any processing of personal data must be legal, and the data must be collected for specific purposes.

Directly from you

For example, in the following cases, the Company collects your personal data directly from you:

  • when you open a user account or otherwise provide us with your personal data;
  • when you pay the subscription;
  • when you have any additional requests or complaints (communication with our staff);
  • when you communicate with us on social networks, through the Application or via e-mail;
  • when you participate in a prize game, competition, promotional campaign or survey;
  • when you leave comments about our service;
  • when you leave us your contact information;
  • when you use our mobile Application.

Indirectly

The Company collects your personal data indirectly when they are transferred to us by another legal or natural person, for example in cases where the Company can receive data about you from payment service providers, etc.

Automatically

The Company collects your personal data through automated systems, for the purpose of improving the service or for security, for example in the following cases:

  • by using this Website, the Company can collect certain information about how you use our Website, as well as device data (such as IP address, browser type);
  • for security and to enable you to use our services optimally, the Company may record certain data about your device when you connect to our Application.

8. Types of personal data the Company collects

The Company collects data from natural or legal persons that is requested in the form for registering new clients, namely:

  • Identification data: name and surname, i.e. company name, PIN (or similar unique identification code), type of client and type of business activity in accordance with relevant laws.
  • Contact information: address, e-mail address, telephone number, information about the language of the Application, contact person.
  • Financial data: payment data that includes the account number (IBAN) in the business bank, the name of the bank where the Client has a business account, the transaction code (which may include data on the date, amount of the transaction, fee amounts, etc.).
  • Technical data: the Company may collect the IP address, login data (date and time of login), data about your location, time zone, browser type and version, operating system and other data about the technology you use to access our Website.
  • Usage data: includes data on how and in what way you use our Website and/or Application, products and services, which includes acceptance of the General Terms, GDPR, marketing and general settings of the Application.
  • Marketing data: includes data about your contact preferences from the marketing domain.

The Company does not collect data on health and religion, genetic and biometric data from its Clients.

Through the forms that you will use as a Client of the Company, the Company can collect data related to natural or legal persons or related natural persons who are subject to verification in accordance with the Law on Prevention of Money Laundering and Financing of Terrorism, and the same may refer to:

  • Identification data: first and last name, gender, date and place of birth, PIN (or similar unique identification code), data found on an identity card or passport, data on the business bank where the party has a business account, as well as data on the party's account.
  • Contact information: address, e-mail address, phone number.
  • Data on qualitative and quantitative indicators of the business relationship between you and your client.
  • We can also collect data on criminal offenses of your clients.

9. Legal basis for the use of personal data

We only process your personal data if the Company has a valid legal basis for doing so. Most often, it will be about the following legal grounds:

  • Contract: if the potential Client refuses to provide any of the data necessary for the conclusion and execution of the contract in which the Client is the Respondent, the Company may not be able to provide certain and/or all services and the Company may refuse to conclude a contract, or business relationship with that potential Client.
  • Fulfillment of the legal basis: the Company is obliged to apply certain legal regulations (e.g. the Accounting Act) on the basis of which the Company must collect certain data about the Client (user of the services provided by the Company), and in the event of not collecting adequate data, the Company may refuse to enter into a contractual relationship.
  • Legitimate interest: in cases where your rights and freedoms do not outweigh our legitimate interests, the Company processes your data, for example, in order to better manage risks, achieve the highest reasonable and justified levels of information security, protection of confidential information, administrative business needs, etc. The Company does not use your personal data based on this legal basis if the Company has assessed that this would adversely affect your privacy and that our legitimate interest does not outweigh the obligation to protect your rights and freedoms.
  • Consent: the Company uses this legal basis as the basis for using our service, and it is given by the free will of the Client when opening a user account, which is the basis for using our service.

10. Your personal data

We collect different types of personal data from Customers, depending on the relationship you have with us and which services you use. In any case, the Company collects and processes your personal data for lawful purposes and based on a valid legal basis.

In order to use our service, during the registration and activation of the service, the Company will collect and process the data specified in point 8, which the Company needs in order to provide you with the best and highest quality service and adapt the Application for your use.

We also collect some data during registration in order to fulfill our legal obligations.

In addition to collecting data for the purpose of fulfilling contracts and fulfilling our legal obligations, the Company also processes data because it is in our legitimate interest, but only when our legitimate interest, based on the assessment the Company has made, does not outweigh the obligation to protect your privacy. Such situations are, for example, direct marketing or recording of our business premises or telephone conversations.

For some types of data processing, several legal bases of data processing are applicable, depending on the circumstances and context. For example, when the Company processes your personal data for the purpose of issuing invoices, the Company does so both on a contractual basis and to comply with our obligations arising from accounting regulations.

In the table, the Company has listed some basic ways in which the Company collects your personal data.

| Processing activity | Type of data | Legal basis |
|---|---|---|
| Opening a user account | Identification data, contact data, financial data | Conclusion and execution of contracts. Legitimate interest (business management and management of products and services). Acting in accordance with a legal obligation. |
| Selection of subscription package (selection of duration and scope of service) | Identification data, contact data, financial data | Acting in accordance with a legal obligation. Contract execution. Legitimate interest (keeping records on Clients, communication and business management). |
| Complaints / requests | Identification data, transaction data | Contract execution. Legitimate interest (business management, management and improvement of the provided service). |
| Answering inquiries | Identification data, contact data | Contract execution. Legitimate interest (business management, management and improvement of the provided service). Contract execution. Legitimate interest (business management, service improvement, analytics). |
| Direct marketing - Contacting the Client to his e-mail address by sending offers for similar services in accordance with the provisions of the Electronic Communications Act | Identification data, contact data, preference data, marketing data | Legitimate interest (business management, delivery of information about our offers and services, personalization of offers and recommendations of similar services). |
| Surveys and satisfaction questionnaires | Contact information | Legitimate interest (business management, informing about user satisfaction in order to improve the service). |
| Payment and refund. Issuance of invoices. | Identification data, contact data, financial data, transaction data | Contract execution. Acting in accordance with a legal obligation. |
| Advertising | Identification data, contact data, usage data, marketing data, technical data, preference data | Constraint (retargeting). Legitimate interest (monitoring the effectiveness of ads, business planning, creating marketing campaigns and business strategies). |
| Providing service recommendations | Identification data, contact data, data on preferences | Contract execution. Legitimate interest (personalization of service). |
| Use of the Application | Contact data, identification data, usage data, transaction data, technical data | Legitimate interest (running the business, enabling the guest to use all the functionalities of the stay in a reviewed manner and have insight into the review of costs and system security protection). |
| Analytics and business planning | Transaction data, contact data, preference data, marketing data | Legitimate interest (improvement of services, creation of offers, strategic business planning). |
| Refund requests | Identification data, contact data, data on the justification of the request | Legitimate interest (protection of property and reputation). Establishment and defense of legal claims. |
| Analytical monitoring of the Website | Technical data, usage data | Legitimate interest (business development, marketing strategy, strategic planning). |
| Social networks | Identification data, contact data | Legitimate interest (communication with guests, management of guest expectations, marketing strategy). |
| Use of Mobile Applications | Identification data, contact data, preference data, payment data, marketing data, technical data, usage data, financial data, transaction data | Consent given when installing the mobile Application or when using it. |

11. Cookies

Our Website collects cookies that contain certain information about how and in what way you use our Website. Cookies are small text records that contain a unique identification and reference code that the Internet browser saves on your device and with which the Company can recognize you again when you access our Website.

The Company does not use this information to identify you, nor does the Company use third-party cookies to do so. Some cookies the Company collects only last for the duration of your use of our site, and some last a little longer, so that the Company can recognize you again when you access our site again.

Cookies are small text files that our Internet server places on your device's Internet browser for the purpose of tracking the selection of certain language variants of pages, as well as when entering parts of the Internet page that require the entry of a username or password. Any reference to or mention of cookies in this Statement includes other types of automated access or storage of information on your device. Cookies cannot be used to run programs or install viruses on your computer. Some cookies that our internet server sets are automatically deleted from your computer at the end of the session, i.e. the moment you leave our pages.

When you access the Website, you may receive a message informing you about the use of cookies on the Website. In order to deliver this message to you, the Company had to use cookies. In case you decide to use the Website and agree to the use of cookies, further cookies will be stored on your device in the manner described above.

By blocking cookies, you can still browse the Website, but some of its features may not be available to you.

In order for the Website to function quickly, securely and properly, it collects mandatory cookies that cannot be turned off. They are usually set in reaction to your actions such as: privacy settings, logging in or filling out forms.

Types of cookies

Technical cookies - mandatory cookies (always active) - necessary for the functioning of the Website and cannot be turned off in our systems. They are typically set in response to your actions involving a request for services, such as cookie settings, logging in, or filling out forms. You can set your browser to block these cookies or send a warning about them, but in this case some parts of the Website may not work. These cookies do not store any information that could identify you.

Functional cookies - (can be turned off) - enable the Website to provide improved functionality and personalization. They may be set by us or by third-party service providers whose services have been added to our sites. If you do not enable these cookies, some of these functions may not function properly.

Statistical cookies - (can be turned off) - enable recording of visits and sources of traffic for the purpose of measuring and improving the efficiency of the Internet site. If you do not enable these cookies, the Company will not know when you visited our Website and will not be able to monitor its effectiveness. They do not store personal data directly, but are based on the unique identification of your browser and internet device.

Marketing cookies - (can be turned off) - serve to track users through the Website and display targeted ads. They are used to monitor the success of marketing communication and advertising. They collect data on behavior and movement on the Website, in order to adjust targeted ads. If you do not enable these cookies, you will experience less targeted advertising.

The Company uses cookies to collect the following types of data:

  • Necessary information about the functioning of the Website and the Application. Information about logins or access to Websites and the use of services in order to apply security measures or adapt the Website and/or Application to the settings on your device (language, operating system, screen size, etc.). These data collection systems also allow you to access your personal account on the Internet page or the Application.
  • Analytical data about the use of the Website and/or Application. The Company uses them to create statistical data about the views of the Website and the use of its various parts (visits to the Website and viewed contents, user's method of use, etc.) which help us improve the content on the Website, i.e. the Application and improve the quality of our services.
  • We use marketing data to analyze the use of the Website and advertisements that may be displayed on the Website so that the Company can offer you ads that match your interests on the Website or the Websites of our other projects. These data collection systems specifically enable us to (i) count and identify displayed ads, (ii) count users who clicked on each of the ads, and (iii) in such a case, monitor the behavior of such users on the pages to which these ads lead.

We may also share with our partners some of the data collected using the data collection systems to enable them to conduct research on visitor behavior.

Disabling cookies

You can disable cookies by activating a setting in your browser that allows you to refuse the setting of all or certain cookies. By blocking cookies, you will still be able to browse our pages, but certain functionalities will be limited.

To find out more about cookies, including how to see which cookies have been set and how to manage them, visit www.aboutcookies.org or www.allaboutcookies.org.

To opt-out of Google Analytics tracking on all websites, visit http://tools.google.com/dlpage/gaoptout.

We use the Google Analytics service. The Company uses the option only with your consent, and you can manage the user options in the cookie browser.

Change settings

At any time, you can review or change your settings related to data collection systems. In the Internet browser settings, you can set whether you want to accept or reject data collection systems sometimes or permanently. Please note, these settings may affect the operation of your internet browser and your use of services on the Website that require the use of data collection systems.

With a simple Internet search, you will find instructions on how to adjust your Internet browser settings to optimize your user experience.

Direct marketing

Direct marketing is sending promotional offers with which the Company offers similar services to your email address. The Company communicates with you in this way based on legitimate interest.

With each such communication, the Company will inform you of the possibility to unsubscribe in a simple way (by clicking on the link) and ask us not to contact you in this way again. In addition, you can contact us in writing at our e-mail address dpo@kyc.hr.

11. Personalization and advertising

For the purpose of personalizing the service, the Company uses Identification data, Contact data and Transaction data. On a general level, the Company can analyze the behavior of our users and try to assess their specific interests. Based on this, the Company can group users and display personalized ads and offers based on such segmentation.

The fact that you see one of our ads does not mean that the Company has created and used the data from your user account, but it is also possible that the Company has only leased advertising space. In cases where the Company sends targeted ads, the Company does so on the basis of retargeting, and perhaps in cooperation with partners. Even then, this is not a confirmation that the Company created your profile, but it is possible that our partner - e.g. Facebook or Google - on the basis of other options and your use of other Internet pages that the Company has no insight into, estimated that you belong to the target group that might be interested in our ads.

Automatic data processing for advertising purposes has no impact on your rights or on our services that you can use.

12. Statistics

For the needs of our business, strategic planning and making important business decisions, the Company uses statistical data analysis. This means that, on the basis of legitimate interest, the Company will process data about you that the Company has collected and processed on the basis of some other legal basis, for example to comply with legal obligations or to fulfill a contract, for another purpose.

When the Company processes your data for statistical purposes, the Company further uses it exclusively in an aggregated, depersonalized form. This means that these data can no longer be linked to you in any way and no longer represent your personal data.

13. Recipients of personal data

The Company does not share your personal data with third parties for the purpose of advertising their services. The Company will not sell your personal information to third parties.

In certain cases, the Company will share your personal information with other recipients, namely:

  • with related companies;
  • in cases where it is necessary to share your personal data so that the Company can fulfill the contract in which you are a party;
  • in cases where you have agreed to share your personal data with a third party (e.g. in the case of using cookies);
  • with judicial, tax, audit and other competent authorities, when the Company has reason to believe that the Company is obliged to share such data based on the law and other regulations (for example, based on the request of the tax authority or in connection with an expected legal dispute);
  • with other personal data processing service providers if the Company enters into a contractual relationship with such legal entities, of which our Clients will be separately informed;
  • with other service providers, who provide a specific service on our behalf, including external consultants, advisory service providers, professional advisors such as auditors, lawyers or accountants, marketing and market research agencies, technical support service providers and IT consultants who carry out certain tests or work on developing technical solutions in our systems;
  • in the event of a merger or takeover of the Company in the future, the Company may share your personal data with the new owners of the Company, and certain personal data may also be transferred during the purchase process, to potential customers and their advisors, as part of the due diligence procedure.

14. Cross-border data transfers

We want to ensure that your personal data is stored and transmitted securely. Therefore, the Company will only transfer data outside the European Economic Area (hereinafter: EEA) if this is in accordance with the applicable data protection regulations and if the means of transfer ensure an adequate level of security for your data, for example:

  • by transferring data to a third country, based on the decision of the European Commission on adequacy, which determined that the legislation of that country ensures an adequate level of data protection; or
  • a data transfer agreement concluded with a third party, which contains standard contractual clauses accepted by the European Commission for cases of data transfer within the EEA, to managers and executors in jurisdictions without an adequate level of data protection; or
  • if you have expressly consented to data transfer.

When the Company transfers your data outside the EEA and in cases where the country or territory to which the data is transferred does not provide an adequate level of data protection, the Company will take all reasonable steps to ensure that your data is handled securely, and in accordance with the privacy policy contained in this Statement.

15. Security of personal data

We apply reasonable and justified technical and organizational measures to ensure the security of your data, as well as to protect against accidental or intentional unauthorized access, loss or alteration. The Company has ensured that data is accessed only by those persons who have a business need and approval for this, exclusively for purposes that are permitted and about which you have been informed, and that these persons are under an obligation to keep your data confidential.

If you suspect any unauthorized use, loss or unauthorized access to your personal data, please notify us at the contacts listed in point 5.

16. Data storage and retention periods

We keep your data as long as necessary in accordance with the purpose for which it was collected, including for the purpose of acting in accordance with legal obligations. After the storage period has expired, the Company will delete the data, and in cases where this is not technically possible, the Company will make the data unreadable. In the event that the Company still needs some data for legitimate business purposes after the retention period for that data has expired, the Company will take appropriate steps to pseudonymize that data.

According to the law, the Company keeps data about Clients for at least five years after closing the service.

We keep data related to accounting regulations for 11 years. This includes accounts that may contain your personal information.

In the case of using credit card data in case of collection of the guarantee amount, the Company stores them in accordance with accounting regulations.

We store data based on our legitimate interest in accordance with justified and reasonable business needs.

We keep data related to video surveillance for up to three days.

We keep the data the Company collects on the basis of consent until the consent is withdrawn.

17. Place of personal data processing

The Company processes and stores personal data within the European Union and the European Economic Area. In the event of a justified business need to transfer personal data to third countries, the Company will perform the actions described in section 14.

18. Your rights regarding the processing of personal data

Access: you have the right to access your personal data at any time through the Application, by sending a request for the delivery of all your personal data that the Company processes.

Restriction of processing: you have the right to object to certain processing activities, for example if the Company processes your personal data based on a legitimate interest.

Transfer: you have the right to request the transfer of personal data to another service provider – in practice, this means that you have the right to request that the Company provide you with any personal data the Company processes in a machine-readable form or request that the Company provide it directly to another company.

Correction: you have the right to request an update of your personal data, correction or addition of your personal data at any time. You can do the same yourself through the Application.

Deletion: you have the right to request the deletion of your personal data. The Company will comply with your request, if the Company does not have a legal obligation or a justified reason of a legal or business nature to keep them.

Withdrawal of consent: in case the Company processes your data on the basis of consent, you are entitled to withdraw the given consent at any time. The Company will immediately stop processing personal data collected on the basis of this legal basis.

You can fulfill all requests by sending a written request to the business address of KYC d.o.o. in Zagreb, Street and house number (e.g. Data Protection Officer) or by e-mail dpo@kyc.hr.

Complaint. You are also authorized to submit a complaint to the local supervisory body for data protection - that is, the Personal Data Protection Agency, at the address:

Agency for the Protection of Personal Data

Selska cesta 136

HR – 10,000 Zagreb

Tel. +385 (1) 4609-000

Fax. + 385 (1) 4609-099

E-mail: azop@azop.hr

Website: www.azop.hr

We inform you that the Company will keep a record of our communication, so that the Company can solve any question you contact us with as efficiently as possible.

We process your rights free of charge, and only exceptionally, in accordance with the provisions of the General Terms and Conditions, will the Company charge you the administrative cost of processing the request. In this case, the Company will inform you about it before the cost is incurred.